500.5 - Internal Audit Quality Assurance and Improvement Program

University Group Policy #500.5

I.  Policy Statement

Internal auditing’s quality assurance and improvement program (“QAIP”) is designed to provide reasonable assurance to the various stakeholders of the internal audit activity. The QAIP function will be performed by a relatively small staff (from one part-time person to two or three people, depending on the size of the internal audit activity and the extent to which the CAO wishes to delegate administrative matters).

II.  Definitions

The words “assist, administer, oversee, monitor, and maintain” are intended to indicate that the internal audit person(s) responsible for the QAIP will not physically perform much of this work.

III.  Guidelines

Internal Assessments

  1. Ongoing Reviews – Ongoing assessments are conducted through:
    • Supervision of engagements.
    • Regular, documented review of work papers during engagements by appropriate internal audit staff.
    • Audit policies and procedures used for each engagement to ensure compliance with applicable planning, fieldwork, and reporting standards.
    • Feedback from customer survey on individual engagements.
    • Analyses of performance metrics established.
    • All final reports and recommendations are approved by the CAO.
  2. Periodic Reviews – Periodic assessments are designed to assess conformance with the internal audit charter, the Standards, the Code of Ethics, and the efficiency and effectiveness of internal auditing in meeting the needs of its various stakeholders. Periodic assessments will be conducted through:
    • Annual customer survey.
    • Annual risk assessments for purposes of annual audit planning.
    • Semiannual work paper reviews for performance in accordance with internal audit policies and the Standards (using Tool 17 of The IIA’s Quality Assessment Manual).
    • Review of internal audit performance metrics and benchmarking of successful practices, prepared and analyzed in accordance with audit policies and procedures.
    • Periodic activity and performance reporting to the chancellor and the audit committee.

External Assessments

  1. General Considerations – External assessments will appraise and express an opinion about internal auditing’s conformance with the Standards and will include recommendations for improvement as appropriate.
  2. Timing – An external assessment will be conducted every five years.
  3. Scope of External Assessment – The external assessment will consist of a broad scope of coverage that includes the following elements of internal audit activity:
    • Conformance with the Standards; the Code of Ethics; and internal auditing’s charter, plans, policies, procedures, and practices; and any applicable legislative and regulatory requirements.
    • Expectations of internal auditing as expressed by the board of directors, executive management, and operational managers.
    • Integration of the internal audit activity into Winston-Salem State University’s (WSSU) governance process, including the audit relationship between and among the key groups involved in the process.
    • Tools and techniques used by internal auditing.
    • The mix of knowledge, experiences, and disciplines within the staff, including staff focus on process improvement.
    • A determination on whether internal auditing adds value and improves WSSU’s operations.
  4. Considerations – The qualifications and considerations of external reviewers, as noted in The IIA’s Practice Advisory 1312-1, will be considered when contracting with an outside party to conduct a review.

Reporting on Quality Programs

  1. Internal Assessments – Results of internal assessments will be reported to the audit committee and the chancellor at least annually.
  2. External Assessments – Results of external assessments will be provided to the chancellor and the audit committee. The external assessment report will be accompanied by a written action plan in response to significant comments and recommendations contained in the report.
  3. Follow-up – The CAO will implement appropriate follow-up actions to ensure that recommendations made in the report and action plans developed are implemented in a reasonable time frame.

Administrative Matters

This policy will be updated appropriately for changes in the Standards or internal auditing’s operating environment.


IV.  Roles and Responsibilities

The QAIP work will be assigned to internal audit managers and staff, but overseen, administered, etc., by the QAIP function, which will determine if the office:

  1. Performs its work in accordance with its charter, which is consistent with The Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing (Standards) and Code of Ethics.
  2. Operates in an effective and efficient manner.
  3. Is perceived by stakeholders as adding value and improving internal auditing’s operations. To that end, internal auditing’s QAIP:
    • Covers all aspects of the internal audit activity.
    • Continually monitors the internal audit activity’s effectiveness.
    • Assures compliance with the Standards and Code of Ethics.
    • Helps the internal audit activity add value and improve organizational operations.
    • Includes both periodic and ongoing internal assessments.
    • Includes an external assessment at least once every five years, the results of which are communicated to the board of directors through the audit committee of the board of directors.

The chief audit officer (CAO) is ultimately responsible for the QAIP, which covers all types of internal audit activities, including consulting.

Internal Audit Components

  • Oversee the development and implementation of internal audit policies/procedures; administer/maintain the policy/procedures manual.
  • Assist the CAO and audit managers with budgeting and financial administration for internal auditing.
  • Maintain and update the comprehensive audit risk universe, including gathering and incorporating new information impacting the universe.
  • Administer the general operation of the system for evaluation of audit risk and long-range planning — assisting the CAO and the audit managers in this area.
  • Assist internal audit management in the acquisition and maintenance of audit tools and use of technology.
  • Oversee the training/development of staff, including selection and administration of training courses; administer the career planning and performance evaluation processes in internal auditing.
  • Oversee the system(s) for internal audit statistics/metrics; administer the system for post-audit and other surveys of internal audit customers.
  • Administer/monitor quality assurance and process improvement activities, including formal quality assessment processes (using the tools from The IIA’s Quality Assessment Manual).
  • Oversee/administer information gathering and preparation of the periodic summary reports by internal auditing to senior management and the audit committee (including reports of the results of internal and external quality assessments).
  • Administer/maintain the comprehensive follow-up database for recommendations and action plans resulting from internal audit engagements and the work of external auditors and other internal evaluation and investigation functions.
  • Assist the CAO, audit managers, and internal audit staff in keeping current on changes and emerging successful practices of the internal audit profession; undertake research into other emerging issues and opportunities under the direction of internal audit management.

V.  Applicability

This policy is applicable to Internal Audit.

Responsible Division: Chief Audit, Risk & Compliance Officer

Authority: Board of Trustees


  • Adopted December 6, 2013